Security data query examples

This guide provides ready-to-use NRQL queries for common security monitoring and analysis scenarios. Copy these queries into the query builder or add them to custom dashboards to gain deeper insights into your vulnerability data.

For information about the underlying data structure, see Security data structure reference.

Executive reporting

Total open vulnerabilities by severity

Get a high-level view of your vulnerability exposure:

FROM Vulnerability
SELECT count(*) as 'Total Vulnerabilities'
WHERE state = 'OPEN'
FACET severity
SINCE 1 day ago

Critical and high severity trends

Track how critical vulnerabilities change over time:

FROM Vulnerability
SELECT count(*) as 'Critical & High Vulnerabilities'
WHERE severity IN ('CRITICAL', 'HIGH')
AND state = 'OPEN'
TIMESERIES AUTO
SINCE 30 days ago

Vulnerabilities by entity

Identify which applications or hosts have the most vulnerabilities:

FROM Vulnerability
SELECT count(*) as 'Vulnerability Count'
WHERE state = 'OPEN'
FACET entity.name
LIMIT 20
SINCE 1 day ago

Vulnerability distribution across portfolio

Understand the spread of vulnerabilities:

FROM Vulnerability
SELECT percentage(count(*), WHERE severity = 'CRITICAL') as 'Critical %',
       percentage(count(*), WHERE severity = 'HIGH') as 'High %',
       percentage(count(*), WHERE severity = 'MEDIUM') as 'Medium %',
       percentage(count(*), WHERE severity = 'LOW') as 'Low %'
WHERE state = 'OPEN'
SINCE 1 day ago

Prioritization and risk assessment

High-priority vulnerabilities

Find vulnerabilities with high exploit probability:

FROM Vulnerability
SELECT cveId, affectedPackage, affectedVersion, cvssScore, epssPercentile
WHERE epssPercentile > 90
AND state = 'OPEN'
ORDER BY epssPercentile DESC
LIMIT 50
SINCE 7 days ago

Active ransomware vulnerabilities

Identify vulnerabilities used in ransomware campaigns:

FROM Vulnerability
SELECT cveId, affectedPackage, cvssScore, entity.name
WHERE activeRansomware = true
AND state = 'OPEN'
FACET cveId, entity.name
SINCE 30 days ago

Newly detected critical vulnerabilities

Monitor for new critical findings:

FROM Vulnerability
SELECT cveId, affectedPackage, affectedVersion, entity.name, detectedAt
WHERE severity = 'CRITICAL'
AND state = 'OPEN'
AND detectedAt > ago(24 hours)
ORDER BY detectedAt DESC

Vulnerabilities requiring immediate attention

Combine multiple risk factors:

FROM Vulnerability
SELECT cveId, entity.name, affectedPackage, cvssScore, epssPercentile
WHERE (
  (severity = 'CRITICAL' AND epssPercentile > 85) OR
  (activeRansomware = true) OR
  (epssPercentile > 95)
)
AND state = 'OPEN'
FACET cveId, entity.name
SINCE 7 days ago

Exposure and remediation tracking

Average vulnerability exposure time

Calculate mean time to remediate (MTTR):

FROM Vulnerability
SELECT average((resolvedAt - detectedAt) / 86400) as 'Avg Days to Resolve'
WHERE state = 'CLOSED'
FACET severity
SINCE 90 days ago

Longest-running open vulnerabilities

Find vulnerabilities that have been open for extended periods:

FROM Vulnerability
SELECT cveId, entity.name, affectedPackage, detectedAt,
       (max(timestamp) - detectedAt) / 86400 as 'Days Open'
WHERE state = 'OPEN'
FACET cveId, entity.name
ORDER BY 'Days Open' DESC
LIMIT 20
SINCE 90 days ago

Remediation velocity

Track how quickly you're resolving vulnerabilities:

FROM Vulnerability
SELECT count(*) as 'Vulnerabilities Resolved'
WHERE state = 'CLOSED'
FACET weekOf(resolvedAt)
SINCE 90 days ago
TIMESERIES 1 week

Vulnerabilities by age bucket

Group vulnerabilities by how long they've been open:

FROM Vulnerability
SELECT count(*) as 'Count'
WHERE state = 'OPEN'
FACET cases(
  WHERE (now() - detectedAt) / 86400 <= 7 as '0-7 days',
  WHERE (now() - detectedAt) / 86400 <= 30 as '8-30 days',
  WHERE (now() - detectedAt) / 86400 <= 90 as '31-90 days',
  WHERE (now() - detectedAt) / 86400 > 90 as '> 90 days'
)
SINCE 180 days ago

Package and library analysis

Most vulnerable libraries

Identify libraries introducing the most vulnerabilities:

FROM Vulnerability
SELECT count(*) as 'Vulnerability Count'
WHERE state = 'OPEN'
FACET affectedPackage
ORDER BY count(*) DESC
LIMIT 10
SINCE 30 days ago

Libraries requiring upgrades

Find packages with available fixes:

FROM Vulnerability
SELECT affectedPackage, affectedVersion, fixedVersion, count(*) as 'Vulnerable Entities'
WHERE state = 'OPEN'
AND fixedVersion IS NOT NULL
FACET affectedPackage, affectedVersion, fixedVersion
ORDER BY count(*) DESC
LIMIT 20
SINCE 7 days ago

Vulnerability detection by source

Understand which integrations are finding vulnerabilities:

FROM Vulnerability
SELECT count(*) as 'Detections'
FACET source
SINCE 30 days ago

Java dependencies analysis

Focus on Java-specific vulnerabilities:

FROM Vulnerability
SELECT count(*) as 'Vulnerabilities'
WHERE affectedPackage LIKE '%.jar'
OR affectedPackage LIKE '%maven%'
FACET affectedPackage, severity
SINCE 30 days ago

Entity-specific queries

Application vulnerability summary

Get vulnerability counts for a specific application:

FROM Vulnerability
SELECT count(*) as 'Total',
       filter(count(*), WHERE severity = 'CRITICAL') as 'Critical',
       filter(count(*), WHERE severity = 'HIGH') as 'High',
       filter(count(*), WHERE severity = 'MEDIUM') as 'Medium',
       filter(count(*), WHERE severity = 'LOW') as 'Low'
WHERE entity.name = 'YOUR_APP_NAME'
AND state = 'OPEN'
SINCE 1 day ago

Host vulnerability breakdown

Analyze vulnerabilities for infrastructure hosts:

FROM Vulnerability
SELECT count(*) as 'Vulnerabilities'
WHERE entityType = 'HOST'
AND state = 'OPEN'
FACET entity.name, severity
LIMIT 50
SINCE 7 days ago

Entities with no recent scans

Identify entities that may not be reporting vulnerability data:

FROM Vulnerability
SELECT entity.name, max(timestamp) as 'Last Scan'
FACET entity.name
HAVING max(timestamp) < ago(7 days)
SINCE 30 days ago

Compliance and reporting

Vulnerabilities older than 30 days (SLA tracking)

Monitor vulnerabilities exceeding your remediation SLA:

FROM Vulnerability
SELECT count(*) as 'Overdue Vulnerabilities',
       entity.name,
       severity
WHERE state = 'OPEN'
AND detectedAt < ago(30 days)
FACET entity.name, severity
SINCE 180 days ago

Critical vulnerability response time

Track how quickly critical vulnerabilities are addressed:

FROM Vulnerability
SELECT percentile((resolvedAt - detectedAt) / 86400, 50, 75, 90, 95) as 'Days to Resolve'
WHERE severity = 'CRITICAL'
AND state = 'CLOSED'
SINCE 90 days ago

Monthly vulnerability metrics

Generate monthly reports:

FROM Vulnerability
SELECT count(*) as 'Total Detected',
       uniqueCount(entity.guid) as 'Affected Entities',
       filter(count(*), WHERE severity IN ('CRITICAL', 'HIGH')) as 'High Risk'
FACET monthOf(detectedAt)
SINCE 180 days ago
TIMESERIES 1 month

Advanced analysis

Vulnerability blast radius

Identify vulnerabilities affecting many entities:

FROM Vulnerability
SELECT cveId, count(entity.guid) as 'Affected Entities', max(cvssScore) as 'CVSS'
WHERE state = 'OPEN'
FACET cveId
HAVING count(entity.guid) > 5
ORDER BY count(entity.guid) DESC
LIMIT 20
SINCE 30 days ago

Security hygiene score

Calculate a custom security score:

FROM Vulnerability
SELECT 100 - (
  filter(count(*), WHERE severity = 'CRITICAL') * 10 +
  filter(count(*), WHERE severity = 'HIGH') * 5 +
  filter(count(*), WHERE severity = 'MEDIUM') * 2 +
  filter(count(*), WHERE severity = 'LOW') * 0.5
) as 'Security Score'
WHERE state = 'OPEN'
FACET entity.name
SINCE 1 day ago

Vulnerability trends by type

Compare application vs infrastructure vulnerabilities:

FROM Vulnerability
SELECT count(*) as 'Vulnerabilities'
WHERE state = 'OPEN'
FACET entityType
TIMESERIES AUTO
SINCE 30 days ago

Using these queries

In the query builder

Go to one.newrelic.com > All capabilities > Query your data
Copy and paste any query from this page
Click Run to see results
Adjust time ranges and filters as needed

In custom dashboards

Create a new dashboard or edit an existing one
Add a widget and select Query builder
Paste the query and configure visualization
Save the widget to your dashboard

In alerts

Go to Alerts > Create a condition
Select NRQL query as the condition type
Use queries that return counts or thresholds
Configure alert thresholds and notification channels

For more information on alerting, see Set up vulnerability alerts.

Tips for customizing queries

Replace placeholders

'YOUR_APP_NAME' - Replace with your actual application name
'YOUR_ENTITY_GUID' - Replace with your entity's GUID
Time ranges (e.g., SINCE 30 days ago) - Adjust to your needs

Combine with other data

Join vulnerability data with APM or Infrastructure metrics:

FROM Vulnerability, Transaction
SELECT count(Vulnerability.cveId), average(Transaction.duration)
WHERE Vulnerability.entity.guid = Transaction.appId
AND Vulnerability.state = 'OPEN'
FACET Vulnerability.entity.name
SINCE 1 day ago

Export results

All query results can be:

Downloaded as CSV
Added to dashboards
Exported via API
Shared with your team

What's next?

Data structure reference

Learn about event types and attributes in detail

Set up alerts

Create alerts based on these queries

NRQL documentation

Learn more about NRQL syntax

Executive reporting.css-21sua1{background:none;border:none;width:0;padding:0;}